LinkedIn Sued For $5 Million For Failing To Protect Passwords During Breach

A LinkedIn user has filed suit against the business for $5 million, claiming the networking site failed its members by not doing enough to protect the 6.5 million passwords that were leaked in a recent hack attack.

The lawsuit seeks class action status, and was filed by an Illinois woman who says LinkedIn royally messed up when it came to safeguarding its users’ passwords. The suit claims the business social network failed its privacy policy, which says it will protect its 160 million users’ passwords with industry-standard protocols and technology.

The bone of contention in the lawsuit is that LinkedIn protected passwords only by “hashing” them (storing a one-way digest of each password rather than the password itself) without also “salting” them, that is, mixing a random per-user value into each password before hashing so that two users with the same password do not end up with the same stored hash and a stolen table cannot be cracked with a single precomputed lookup, the Los Angeles Times reports.

“Industry standards require at least the additional process of adding ‘salt’ to a password before running it through a hashing function,” the lawsuit claims. “This procedure drastically increases the difficulty of deciphering the resulting encrypted password.”

A LinkedIn spokeswoman says that none of its users’ accounts were breached as a result of the hack attack.

“Therefore, it appears that these threats are driven by lawyers looking to take advantage of the situation,” she said in an email statement. “We believe these claims are without merit, and we will defend the company vigorously against suits trying to leverage third-party criminal behavior.”

After the attack, LinkedIn announced it would now be salting its users’ passwords.
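The hashing-versus-salting distinction the lawsuit turns on, shown as an added example that is not code from the article, from LinkedIn, or from the complaint. It assumes SHA-1 for the unsalted case (the page itself says only that the hashes were unsalted), a constructed three-account table, and a constructed six-entry attacker wordlist; the point it makes is that an unsalted table costs the attacker one hash per candidate for every account at once, while a salted table costs one hash per candidate per account, and that salting alone does nothing to slow down any single guess, which is what a deliberately slow KDF is for.

```python
"""Unsalted vs salted password storage, and what a stolen hash table costs to crack."""
import hashlib
import hmac
import secrets

# Constructed sample accounts (not breach data): bob and carol chose the same password.
USERS = {
    "alice": "correcthorsebatterystaple",
    "bob": "tr0ub4dor&3",
    "carol": "tr0ub4dor&3",
}
# Constructed attacker wordlist; it contains bob's and carol's choice but not alice's.
WORDLIST = ["password", "123456", "linkedin", "tr0ub4dor&3", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """SHA-1 over the password alone: equal passwords always give equal hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt||password, stored as hex(salt)$hex(digest) so the salt travels with it."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def store_salted(password: str) -> str:
    """Fresh 16-byte salt per account from the OS CSPRNG (secrets, not random)."""
    return salted_hash(password, secrets.token_bytes(16))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids a timing side channel."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def slow_salted_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salting stops cross-account reuse of attacker work; a deliberately slow KDF (PBKDF2
    here, bcrypt/scrypt/Argon2 in practice) additionally makes every single guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_unsalted_table() -> dict:
    return {user: unsalted_hash(pw) for user, pw in USERS.items()}


def build_salted_table() -> dict:
    return {user: store_salted(pw) for user, pw in USERS.items()}


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Hash every candidate once, then each stolen hash is a dictionary lookup.
    Cost: len(wordlist) hashes for the whole table, however many accounts it holds."""
    lookup = {unsalted_hash(w): w for w in wordlist}
    found = {user: lookup.get(h) for user, h in table.items()}
    return found, len(wordlist)


def crack_salted(table: dict, wordlist) -> tuple:
    """Every account has its own salt, so a precomputed table is useless and the
    wordlist must be re-hashed per account. Cost: len(table) * len(wordlist) hashes."""
    found = {}
    hashes_computed = 0
    for user, stored in table.items():
        salt = bytes.fromhex(stored.split("$", 1)[0])
        found[user] = None
        for w in wordlist:  # no early stop, so the count is the worst case
            hashes_computed += 1
            if salted_hash(w, salt) == stored:
                found[user] = w
    return found, hashes_computed


if __name__ == "__main__":
    unsalted = build_unsalted_table()
    salted = build_salted_table()
    print("bob == carol (unsalted):", unsalted["bob"] == unsalted["carol"])
    print("bob == carol (salted):  ", salted["bob"] == salted["carol"])
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))
    print("salted crack:  ", crack_salted(salted, WORDLIST))
```

Running it shows bob's and carol's unsalted hashes are identical and both fall to a single six-hash lookup table, while the salted table forces eighteen hashes for the same result and the two stored values differ. Note that both crack functions still recover the weak password: a salt raises the attacker's cost linearly in the number of accounts, nothing more, which is why `slow_salted_hash` is the piece that actually protects an individual user who picked something in the wordlist.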

Comments


> A LinkedIn spokeswoman says that none of its users’ accounts were breached as a result of the hack attack.

And how would they know that? How do they know some guy in China hasn’t logged into my account just to see if the password worked so that they could then target other sites using my same email address & password combination? (Not that I use the same password anywhere else, but you can rest assured that a LOT of users do)

The spokesman was probably being disingenuous. The attacker probably logged into a couple of accounts to see if they worked. However, what the attackers got was a list of usernames and hashed passwords. Even using the weaker unsalted hash, it would take time to decrypt the passwords. By the time a significant number were decrypted, LinkedIn had locked the accounts and forced users to reset their passwords.

The damage to the linkedin site itself from an attack like this is pretty limited. Most accounts are not attached to credit cards, and if any credit cards were stolen, nobody has mentioned it. The problem is that people persist in using the same password on multiple websites. So once an attacker gets a list of passwords, they’ll try them on BofA, Citibank, etc, until they get a hit. Is that LinkedIn’s fault? Or is it the user’s fault, for reusing passwords?

I think it’s both. The reason people reuse passwords so much is because every site requires a password, and they come up with ever-weirder requirements about length, special characters, and how often you have to change things. People simply can’t remember all that. It’s a mis-match between the industry standards and what a user can actually remember.

I think there is an xkcd where they talk about how a password like “horsechocolatebigfeet” is better than one like “c7ali3!&^” in security, and easier to remember, but security “experts” keep pushing us toward the latter. Further, regularly changing a password does almost nothing to improve security.

The xkcd comic mentioned the password “tr0ub4dor&3” has about 28 bits of entropy (a computer making 1000 guesses/sec would take about 3 days to figure out) and is hard for the user to remember, but “correcthorsebatterystaple” has about 44 bits of entropy (same computer would take 550 years to figure out) and is easy to remember.

Thank you. That sums it up completely for me. I worked at a company that had us change passwords every six weeks to comply with HIPAA, so of course everyone had post-its with their passwords on their computers.

That xkcd is great. Related to that check out diceware passphrases: http://world.std.com/~reinhold/diceware.html You can generate some pretty strong, yet easy to remember phrases; and since they are just generic words you could somewhat safely write down the words – separately and inconspicuously and still keep it fairly secure (obviously writing the full username and passphrase on a post-it and putting it under your keyboard is probably not going to be very secure).
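The entropy and guess-time arithmetic behind the xkcd figures quoted above, together with a diceware-style passphrase generator of the kind the diceware link describes, as an added example that is not code from the commenters, from xkcd, or from the diceware page. It assumes the comic's rate of 1000 guesses per second, a real diceware list size of 7776 words, and a constructed eight-word stand-in list so the generator runs offline (entropy is computed from whatever list is actually passed in, so the stand-in yields far fewer bits than a real list would).

```python
"""Entropy and guess-time arithmetic behind the xkcd comparison, plus a diceware-style generator."""
import math
import secrets

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
DICEWARE_LIST_SIZE = 6 ** 5  # a real diceware list has 7776 words, one per five dice rolls

# Constructed stand-in wordlist so the generator runs offline; a real list is far larger.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river", "pencil", "window"]


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Bits of entropy for `symbols` picks made uniformly from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try all 2**bits candidates at a fixed guess rate (the attacker needs on
    average half of that to hit the right one)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_DAY


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def diceware_passphrase(words, count: int = 5) -> str:
    """Pick words uniformly with the OS CSPRNG. random.choice uses a non-cryptographic
    PRNG whose internal state can be recovered from its outputs, so it must not be used here."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy(words, count: int = 5) -> float:
    """Entropy depends only on list size and word count, not on which words were drawn."""
    return entropy_bits(len(words), count)


if __name__ == "__main__":
    print("28 bits @ 1000/s:", round(days_to_exhaust(28, 1000), 1), "days")
    print("44 bits @ 1000/s:", round(years_to_exhaust(44, 1000)), "years")
    print("5 real diceware words:", round(entropy_bits(DICEWARE_LIST_SIZE, 5), 1), "bits")
    print("sample:", diceware_passphrase(SAMPLE_WORDS), "=", passphrase_entropy(SAMPLE_WORDS), "bits")
```

The 28-bit and 44-bit figures come out at roughly 3.1 days and 557 years, matching the comic; five words from a real 7776-word list give about 64.6 bits, well beyond either. The entropy figure assumes the attacker knows the wordlist and the word count and the words were drawn uniformly, which is exactly why the draw has to come from `secrets` rather than a human picking "memorable" words.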

Yeah, I use that particular xkcd in a class I teach. Agree completely about the ridiculousness of the whole password thing. I have a locked bin in my office, and the only reason it needs to be locked is because I have a list of passwords for random things I have to log into. I’m the computer security person, so if I got caught looking on the post-it under my keyboard to get a password, I’d either be laughed at or fired, depending on who caught me.

The problem is, though, that until we go to something besides passwords, the password reuse problem is always going to be there. At work, I have a piece of paper in a locked bin. For my personal stuff, I have keepass loaded onto a thumb drive.

Give me a break… $5,000,000? So how should users be compensated for a website they don’t even pay for?

Let me guess… the person suing feels they were harmed to the tune of $100k, the lawyers who want it to be a class action will need $3.2M, and the remainder can be given to the 6.5M users who had their passwords stolen in the form of a coupon for future paid services.

My reaction was that either 160M users were harmed in some substantial way, which means that $5M is way too low ($0.03 apiece?), or there wasn’t any significant harm, which means that $5M is way too high. But $5M seems to just be a number that someone picked out of thin air.

The alternative of course being that websites can post blatant falsehoods in their privacy policies and print the personal details of every member on their front page with absolute impunity because well, what’s the real harm?

Just another example of million-dollar executives up the fuck and never having to justify or explain themselves.

I agree, but I don’t see it as a standard practice in the industry. I think it should be, but of all the companies I’ve consulted with, only really big companies do and not even all of them (Big > $1,000,000,000 revenue/year).

That should be changed. That is why for all the hyperventilating people are doing about suing over a free service or about the amount of money involved or even who ends up getting the money, this will ultimately be a good thing.

If a user can successfully extract 7 or 8 figures from a company for not being diligent enough about securing personal information, that will give other companies a reason to reflect on what they’re doing and make changes where changes are needed.

Yep. It’s an industry standard. It’s not THE industry standard. There are probably thousands of vetted protocols and standards regarding authentication, so finding one standard that isn’t being used and treating it as the holy grail is BS.

If you really want a scare, practically any website that has a short (under 12 characters) limit on password length is probably storing it as plain text. That seems to include a lot of banks, for some reason…

Let me be the first to inform you that yes, in fact, “no harm no foul” is a foundational concept in tort law (civil lawsuits). To even have standing in court (“standing” means you are qualified to bring a suit), literally the first thing you must demonstrate is “INJURY”. No injury, no lawsuit; no harm, no foul.

That said, “injury” can be widely interpreted. Plus, injury is not required for criminal law, nor for things like fines. The government can fine you for simply breaking a law. Still, in order to succeed in a lawsuit, you have to show a plausible injury.

What makes LinkedIn any more special than Sony, Steam or anyone else that has had security breaches and lost passwords? Because it is “professional”? I think if this goes through, everyone that has lost passwords should be able to sue every company that has lost their info.

In computer security, there’s little that passes for industry standards in a situation like this. There are standards for protecting credit card info, but since apparently no credit card info was leaked, it’s doubtful that those standards apply here. Banking, health care, and government all have legal compliance requirements that don’t really apply here, but the sad little secret is that there isn’t really much in the way of “industry standards” for website security. There are some best practices, but only a small number of companies actually follow those best practices in any sort of coherent and complete way, so I’m not sure they could really be called “standard”. I agree that LinkedIn screwed up and should have been doing a better job, but I doubt that they were doing anything worse than Sony or Steam. I can guarantee that, given the type and magnitude of the Sony and Steam breaches, there was some best practice that those companies weren’t following.

I doubt she can get anything, unless she has real dollar damages. It would be different if it was an Amazon.com account, and someone hacked into it, made purchases etc, and Amazon didn’t make her whole again, by refunding her money.

I’ve had a LinkedIn account for a few years now, but even before the recent password/hack problem, I have been wondering if I should keep the LinkedIn account or simply delete it. I don’t find much in the line of value by using it despite the fact that I’m unemployed. And yes I was told to change my password just like many.

I think a lot more has been made about this than warranted. I do fault LinkedIn for lax security measures allowing the passwords to be captured. However if I understand the situation correctly, it was only the passwords, not the user IDs that were compromised. While that in and of itself is bad, it’s not “account compromised” bad… someone would still have to spend a LOT of time correlating the users with passwords, and if everyone changed their password after the leak, that would be impossible.

I got talked into joining LinkedIn a few months ago for my small business.

Even though some claim it’s a great way to do business networking, the more I see the more I get creeped out.

God help you if you post any type of telephone number: It’s a red flag yelling ‘TELEMARKET ME”. Even though I’ve pulled my phone number off my profile, I’m still getting calls from shady sounding “business consultants” telling me about how (for a fee, of course) they can get me tens of thousands of bucks in “free” government money.

It also appears they can automatically harvest saved e-mail addresses in my att.net e-mail account. This is the only possible way they would have known who my landlord/leasing agent is before suggesting I send them an invitation to join my friends list.

Here is the problem with this lawsuit. She is filing this as a breach of contract case. She must show two things, they breached, AND the associated damages caused by the breach. Her first hurdle will be to prove that the ONLY industry standard is salting. If every company other than LinkedIn uses salting, she has a case. My understanding is, not every company out there does this. Her second hurdle will be to prove damages. Let’s say this was not online. A person picks the lock on your door. He does not enter your home. Nothing is stolen. No third party enters your home and takes anything. You can say he picked your lock, but if nothing is stolen, and you have no financial loss, you are shit out of luck when it comes to damages.

Finally, I am pretty sure there is no agency forcing you to join their site. The fact that she might use the same password in other places is really something SHE needs to deal with, not LinkedIn. In fact, “industry standards” say that people should not use the same password for all their accounts.